by riyakhanna1983 2584 days ago
Precisely. For my organization, I'm looking for a way to quantitatively measure and compare quality/security postures of repos/packages when importing.

Sounds tough. What are your ideas to measure so far?

For the security angle it seems the first naive thing would be to count prior known vulnerabilities, but then, the projects that do the absolute worst at that are not going to have discovered their security bugs, let alone documented them well.
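As an added illustration of the caveat in the reply above (a constructed example, not code from anyone in the thread), the following Python compares a raw known-vulnerability count against a ranking that treats a package nobody has examined as unknown rather than clean. The `scrutiny` proxy, the `prior` and `min_scrutiny` knobs, and the sample packages are all assumptions for the demonstration, not an established metric.

```python
"""Why counting known vulnerabilities mis-ranks packages (constructed example).

Assumption (not from the thread): the number of *known* vulnerabilities grows
with both the true defect density and the amount of scrutiny a project has had,
so a package that nobody has audited looks clean on a raw count.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Package:
    name: str
    known_vulns: int    # advisories published against the package
    scrutiny: float     # hypothetical proxy: audits, fuzzing, researcher reports (0 = none)


# Constructed sample data: the heavily audited library has more advisories on
# record only because people have looked; the unreviewed one was never examined.
SAMPLE = [
    Package("audited-crypto-lib", known_vulns=12, scrutiny=40.0),
    Package("moderate-web-lib", known_vulns=6, scrutiny=10.0),
    Package("unreviewed-util", known_vulns=0, scrutiny=0.0),
]


def naive_rank(pkgs):
    """The naive metric: rank by raw vulnerability count, fewest first."""
    return [p.name for p in sorted(pkgs, key=lambda p: p.known_vulns)]


def adjusted_score(p, prior=1.0, min_scrutiny=1.0):
    """Known vulnerabilities per unit of scrutiny, lower is better.

    A package below the scrutiny floor gets an infinite score: with no evidence,
    the honest answer is "unknown", not "secure". `prior` keeps a zero count from
    reading as zero risk. Both knobs are hypothetical, not a standard.
    """
    if p.scrutiny < min_scrutiny:
        return float("inf")
    return (p.known_vulns + prior) / p.scrutiny


def scrutiny_adjusted_rank(pkgs):
    """Rank by the scrutiny-adjusted score, best evidence of quality first."""
    return [p.name for p in sorted(pkgs, key=adjusted_score)]


if __name__ == "__main__":
    # The two metrics disagree completely on this sample: the naive count
    # rewards the package that has simply never been looked at.
    print("naive   :", naive_rank(SAMPLE))
    print("adjusted:", scrutiny_adjusted_rank(SAMPLE))
```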